I have a file called /etc/crowdsec/parsers/s02-enrich/whitelist_failed_download.yaml which contains:

```yaml
name: whitelist_failed_download
description: "Whitelist failed download"
whitelist:
  reason: "404 download trigger FP"
  expression:
    - "evt.Meta.http_status == '404' and (evt.Parsed.request contains '/downloads/' or evt.Parsed.request contains '/updates/')"
```
This should allow machines to try and download files which don’t exist. We have a system which tries to download a file based on the machine name. If it’s there it downloads and updates, if not, it just continues on. It generates 404 errors all the time.
If I type ‘cscli decisions list’ I can see that a client of ours is currently banned due to ‘crowdsec/http-probing’.
If I type ‘cscli alerts inspect -d <id>’ it shows me a list of alerts and the related http-path. The path is /Downloads/
The difference being my whitelist contains /downloads and the machine is trying to download from /Downloads
But, this is running on a proxy which fronts a site on IIS and IIS doesn’t care about the case of urls.
My haproxy config doesn’t pay any attention to the url casing.
Is crowdsec case sensitive when matching whitelist rules? Can I set it to not be case sensitive?
I’ve tried searching case sensitivity on the site without finding anything. Maybe it’s referred to differently?
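
An added example, not part of the original post: the `contains` operator in CrowdSec's expression language compares strings case-sensitively, so '/Downloads/' does not match '/downloads/'. One way to make the whitelist above case-insensitive, assuming the `Lower()` expression helper is available in the installed CrowdSec version, is to lowercase the request before comparing:

```yaml
# Variant of whitelist_failed_download.yaml with case-insensitive path matching.
# Assumption: the Lower() expr helper exists in the installed CrowdSec version.
name: whitelist_failed_download
description: "Whitelist failed download"
whitelist:
  reason: "404 download trigger FP"
  expression:
    # Lower() normalises the request path, so /Downloads/, /DOWNLOADS/ and
    # /downloads/ all match the lowercase literals below.
    - "evt.Meta.http_status == '404' and (Lower(evt.Parsed.request) contains '/downloads/' or Lower(evt.Parsed.request) contains '/updates/')"
```

A whitelist change only affects events parsed after CrowdSec is reloaded; a ban that already exists stays in place until it expires or is removed with `cscli decisions delete`.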